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Abstract — A large number of analog chaos-based secure 
communication systems have been proposed since the early 
1990s exploiting the technique of chaos synchronization. A 
brief survey of these chaos-based cryptosystems and of related 
cryptanalytic results is given. Some recently proposed counter- 
measures against known attacks are also introduced. 

I. Introduction 

Since the late 1980s, chaos-based cryptography has at- 
tracted more and more attention from researchers in many 
different areas. It has been found that chaotic systems and 
cryptosystems share many similar properties. For instance, 
chaotic systems are sensitive to the initial conditions, which 
corresponds to the diffusion property of good cryptosystems 
(for a comparison of chaos and cryptography, see Table 1 
in [1]). Basically, there are two major types of chaos-based 
cryptosystems: analog chaos-based secure communication 
systems and digital chaos-based ciphers, which are designed 
employing completely different principles. 

Almost all analog chaos-based secure communication 
systems are designed based on the technique for chaos 
synchronization, which was first discovered in the 1980s and 
then well developed in the 1990s [2], The establishment of 
chaos synchronization between two remote chaotic systems 
actually means that some information has successfully been 
transmitted from one end to the other. This fact naturally 
leads to the foundation of a chaos-based communication 
system. Then, by keeping some part of the involved chaotic 
systems secret, a third party not knowing the secret key 
will not be able to reconstruct the information transmitted. 
Thus, a chaos-based secure communication system is created. 
Following this basic idea, a large number of analog chaos- 
based secure communication systems have been proposed 
since the 1990s. Meanwhile, related cryptanalytic work has 
also been developed to evaluate performance (mainly the se- 
curity) of various analog chaos-based secure communication 
systems. Though a number of surveys have been published 
to introduce progress in this area, they become relatively 
obsolete due to the rapid growth of new research work in 
recent years. 
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The purpose of this paper is to give a brief survey of ana- 
log chaos-based secure communications and related cryptan- 
alytic work, especially focusing on latest work reported since 
the year 2000. This paper is organized as follows. In the 
next section we first introduce some preliminary knowledge 
about the underlying chaos synchronization technique. Then, 
we classify most early chaos-based secure communication 
systems into three basic types. Next, different kinds of 
cryptanalysis are discussed with some concrete examples. 
Finally, we enumerate some new countermeasures that have 
been proposed to resist known attacks. A few concluding 
remarks are given at the end of the paper to express our 
opinion on future trends in this area. 

II. Chaos Synchronization 

Just as its name implies, synchronization of chaos denotes 
a process in which two (or many) chaotic systems achieve 
a common dynamical behavior after a period of transient 
period. Here, the common behavior may be a complete co- 
incidence of the chaotic trajectories, or just a phase locking. 
To achieve synchronization, one or more driving signals 
have to be sent from a source to the chaotic systems to be 
synchronized. According to the source of the driving signal 
and the mode of coupling, there are mainly four types of 
driving modes: 

• directional (internal) driving: one chaotic system serves 
as the source of driving and one or more driving signals 
are sent from this systems to the others; 

> bidirectional (internal) driving: two chaotic systems are 
coupled with each other and are driven by each other 
in a mutual way; 

• network-like coupling: many (more than two) chaotic 
systems are coupled with others in some way to form 
a complex dynamic network; 

• external driving: one or more external signals drive all 
the chaotic systems involved towards a synchronized 
behavior. 

Owing to the nature of secure communications (which means 
secret information transmitted from one end to the other), 
directional driving between two chaotic systems is employed 
for almost all chaos-based secure communication systems. 
Therefore, in this section we focus only on this kind of chaos 
synchronization. 

For chaos synchronization of two chaotic systems with 
directional driving, one of the chaotic systems serves as 
the master (or drive) system, and the other is the slave (or 
response) system. From the communication point of view, 
the master and slave system may also be called sender 



and receiver system, respectively. For purpose of chaos 
synchronization, one or more driving signals have to be 
transmitted from the master system to the slave system as 
external force to influence the the slave system's dynamics. 
As a result of the driving force, the slave system may be 
able to follow the the master system's dynamics exactly or 
in some other forms, thus leading to different kinds of chaos 
synchronization like the following ones that are widely used 
in chaos-based secure communications: 

• complete synchronization (CS, also called identical syn- 
chronization): the simplest form of chaos synchroniza- 
tion, corresponding to a complete agreement of the 
trajectories of the master and slave systems; 

• generalized synchronization (GS): a generalized form 
of complete synchronization for which the the slave 
system's trajectory converges to the master's one in the 
sense of a one-to-one mapping /; 

• projective synchronization: a special case of GS with 
the one-to-one mapping involved being a simple linear 
function /(x) = ax; 

• phase synchronization: the slave system matches its 
phase with that of the master system, though their 
trajectories are not the same; 

• lag synchronization: a time-delayed version of complete 
synchronization for which the slave system coincides 
with the time-delayed dynamics of the master system. 

Due to other aspects of generating the driving signal, there 
are also some other types of chaos synchronization. One of 
them is called impulsive (or sporadic) synchronization, which 
means that the driving signal is not transmitted to the slave 
system continuously, but in an impulsive manner controlled 
by a fixed or time-varying time interval r. 

Another related concept called adaptive synchronization 
is a technique that can help the slave system synchronize 
with the master system in an adaptive way. This concept is 
useful not only for the design of analog chaos-based secure 
communications, but also for the cryptanalysis, because the 
adaption mechanism often implies that a third-party can also 
drive its slave system to the sender and then extract some 
secret information transmitted from the sender to the legal 
receiver. 

III. Analog Chaos-based Secure Communications 

Most traditional analog chaos-based secure communica- 
tion systems can be classified into three basic types: chaotic 
masking, chaotic switching (also called chaotic shift keying 
- CSK) and chaotic modulation. Although many new designs 
have been proposed in recent years, most of them are actually 
modified or generalized implementations of these three basic 
schemes. In this section, we focus on the three basic schemes 
and give a brief summary of their security. More details about 
related cryptanalytic results will be the subject of the next 
section. 

A. Chaotic Masking 

The earliest and simplest form of analog chaos-based se- 
cure communication is chaotic masking, in which a plaintext 



message signal m(<) is embedded into a carrier signal x(i) 
to form a combined driving signal s(t) = x(i) + m(i), where 
the addition operation "+" can also be replaced by similar 
ones such as multiplication. After chaos synchronization is 
established at the receiver side, an estimation of x(i) can 
be obtained and, then, subtracted from s(t) to recover the 
plaintext signal. Figure [T| shows the basic structure of a 
typical chaotic masking system. 



Plaintext Signal m(t) 




Fig. 1. Basic structure of a typical chaotic masking system. 

To avoid the negative influence of the hidden plaintext 
signal on chaos synchronization at the receiver side, the 
energy of the plaintext message signal m(t) should be 
much smaller than that of the driving signal s(t), i.e., much 
smaller than the power of x(i). Since the message signal 
disturbs the driving signal, chaos synchronization cannot be 
achieved exactly and, therefore, the message signal cannot 
be recovered exactly. Another obvious feature of the chaotic 
masking scheme is that the message signal does not influence 
the dynamics of the master system at all. 

The security of chaotic masking is questionable against 
various attacks, mainly due to the fact that an attacker can 
always obtain some information from the driving signal to 
construct (at least part of) the dynamics of the master system. 
As the power energy of the plaintext message must be much 
smaller than that of the driving signal, it seems impossible 
to essentially eliminate this security defect without changing 
the encryption structure. 

B. Chaotic Switching (Chaotic Shift Keying) 

This scheme is mainly used to transmit digital signals. 
At the sender side, two different chaotic systems are used 
for O-bits and 1-bits of the plaintext message, respectively. 
That is, the employed chaotic system is switched from time 
to time by the plaintext message. At the receiver side, only 
one of the two chaotic systems is needed, and the plaintext 
bits are recovered according to whether or not the slave 
system can achieve chaos synchronization with the master. 
Figure|2]shows how a typical chaotic switching system works 
to recover the plaintext message. Note that the two chaotic 
systems at the sender side may be either homogeneous or 
inhomogeneous. If two homogeneous ones are used, one 
chaotic system with adjustable parameters suffices, which 
makes the realization of chaotic switching systems more 
practical. 

To ensure the establishment of chaos synchronization 
between the master and slave systems, the transmission time 
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Fig. 2. Basic structure of a typical chaotic switching (CSK) system with 
(g) denoting the detector of chaos synchronization. 

of each plaintext bit should be long enough. Therefore, the 
transmission rate of a chaotic switching system is generally 
much slower than that of a chaotic masking system. The main 
advantage of chaotic switching is that the plaintext signal 
can exactly be recovered as long as the level of the signal- 
to-noise ratio is not too low. 

It has been known that the above simple chaotic switching 
system is not secure against many different kinds of attacks. 
To enhance the security, some modified chaotic switching 
systems have been proposed in recent years, which will be 
discussed later in Sec. [V] 

C. Chaotic Modulation 

Different from chaotic masking and chaotic switching 
schemes, in a chaotic modulation scheme the plaintext mes- 
sage m(i) is injected into the sender system so that its 
dynamics is changed by the plaintext message continuously. 
In this case, generally an adaptive controller (which can also 
be considered as an extra dynamical system bidirectionally 
coupled with the sender system) is added at the slave 
system according to some rule such that its output m'(t) 
asymptomatically converges to m(i). To follow the master 
system's dynamics, generally the controller's output (i.e., 
m(t)) should be injected into the slave system in the same 
way as in the master. See Fig. [3] for the basic structure of a 
typical chaotic modulation system. Note that in some chaotic 
modulation systems there may be no feedback of s(t) back 
into the master system. 




Fig. 3. Basic structure of a typical chaotic modulation system. 

There are two different types of chaotic modulation: 
(1) parameter modulation, in which the plaintext message 



signal m(t) modulates the values of one or more control 
parameters; (2) direct modulation, in which m(t) is injected 
into one or more variables of the master system without 
changing the value of any control parameter. In some chaotic 
modulation schemes, the plaintext signal is also embedded 
into the driving signal, which can be regarded as a modified 
version of chaotic masking (via feedback of the driving 
signal and some other necessary modifications). 

Compared with chaotic masking schemes, chaotic modu- 
lation schemes can exactly recover the plaintext signal (in 
an asymptotical manner) if some conditions are satisfied. 
Considering that chaotic switching systems can only transmit 
digital signals, chaotic modulation also has a better perfor- 
mance than chaotic switching. In fact, carefully designed, the 
chaotic modulation technique can even be used to transmit 
more than one plaintext message signal. One possible way 
for this is to modulate n control parameters of the master 
system with n plaintext message signals, respectively. 

The main disadvantage of chaotic modulation is that 
the controller depends on the master and slave systems' 
structure, which means that different controllers needs to 
be designed for different master systems. Controllers may 
not even exist in certain cases for essential defects of the 
master/slave chaotic systems. 

IV. Cryptanalytic Results 

Many chaos-based secure communication systems were 
proposed without much security analysis. The security of 
these cryptosystems was simply "ensured" by the underlying 
chaotic systems' complexity. From a cryptographer's point of 
view, however, the complexity of chaos does not necessarily 
mean that a chaos-based cryptosystem is secure. To evaluate 
the security of a cryptosystem, all known cryptanalytic 
methods (i.e., attacks) have to be investigated specifically 
for the target cryptosystem. 

As a basic rule in cryptology, it is always assumed that 
all details about the target encryption algorithm are known 
to the attacker [3, p. 5]. The secret key should be the only 
component unknown to the attacker and used to guarantee 
the cryptosystem's security. 

The first step of cryptanalysis is to estimate the size of 
the key space, i.e., to see if the complexity of exhaustively 
searching all possible keys of a cryptosystem is not crypto- 
graphically high. According to the computational power of 
today's computers, a key space of size O(2 10 °) is generally 
required. 

In the case that the key space is large enough, one needs 
to further investigate the security of the cryptosystem against 
all known attacks, which include the following four kinds of 
attacks (classified according to the resources that an attacker 
can access): 

• ciphertext-only attack: only the ciphertexts can be ob- 
served by the attacker; 

• known-plaintext attack: some plaintexts and the corre- 
sponding ciphertexts can be observed by the attacker; 

• chosen-plaintext attack: some plaintexts can be freely 
chosen by the attacker and the corresponding ciphertexts 



can be observed; 
• chosen-ciphertext attack: some ciphertexts can be freely 

chosen by the attacker and the corresponding plaintexts 

can be observed. 
The chosen-ciphertext attack generally works only when the 
attacker has temporary access to a legal decipher (receiver), 
which is a mirror version of the chosen-plaintext attack at 
the encipher (sender) side. 

Since the mid-1990s, a large number of cryptanalytic 
results have been reported on chaos-based secure commu- 
nications. It has been shown that most traditional schemes 
are not sufficiently secure from a cryptographical point of 
view. In this section, we classify these cryptanalytic results 
into several different categories. 

A. Low Sensitivity to Secret Key 

The most common (and maybe also the most serious) 
problem about chaos-based secure communications is the 
low sensitivity to the secret key (i.e., the control parame- 
ters of the master chaotic system). The low sensitivity is 
a necessary requirement for real implementations of any 
analog chaos-based cryptosystem, because it is impossible 
to ensure exact matching of the master and slave systems. 
Unavoidable noise and manufactural component deviation 
involved in chaotic circuits are the two main factors causing 
this security problem. According to recent results reported 
in [4], [5], it has been verified that most analog chaos-based 
secure communication systems suffer from this defect. 

As a direct result of this low-sensitivity problem, the 
size of the key space becomes much smaller than expected. 
Therefore, a brute-force attack can be mounted to approxi- 
mately guess the secret key, and the estimated key can be 
used later to approximately decrypt the plaintext message 
signals. 

B. Parameter Estimation 

For most analog chaos-based secure communication sys- 
tems, the low sensitivity to the secret key is actually caused 
by a very simple relationship between synchronization error 
and key mismatch: the larger the key mismatch is, the larger 
the synchronization error will be, and vice versa. This means 
that an iterative algorithm can be used to determine the value 
of the secret parameters, which corresponds to the concept of 
"adaptive synchronization". A lot of work has been reported 
about adaptive synchronization when the master system's 
parameters are unknown to the receiver. Some of the work 
can directly be used or easily extended to break analog chaos- 
based secure communication systems [6]-[8]. 

Besides the method based on adaptive synchronization, 
there are also other ways one can use to estimate the secret 
parameters (i.e., the key) of the chaos-based cryptosystems. 
For instance, due to the nature of Lorenz and Chua chaotic 
systems, the secret parameters can be determined from the 
driving signal and its derivative (mainly differentials of 
different orders) [9]— [1 1]. For some specific schemes, it 
is also possible to derive part of the secret parameters by 
analyzing the return maps of the master systems [12]. 



When chosen-ciphertext attacks are possible, i.e., when 
the attacker can access a legal receiver for some time, the 
attacker can set the driving signal to a fixed constant C in 
order to obtain the values of all secret parameters [13]. 

C. Estimating Carrier Signal 

When the plaintext message signal m(t) is hidden in the 
driving signal s(t) = x(t) + m(t), it may be possible to 
recover the approximate dynamics of the master system and, 
then, obtain an estimation of the carrier signal x(t), thus 
leading to an approximate recovery of m(t). This idea works 
for chaotic masking and some chaotic modulation systems. 

The first report about this cryptanalytic method was 
proposed by Short et al. in [14], by employing the NLD 
(nonlinear dynamics) forecasting technique to estimate the 
master system's dynamics from the driving signal s(t) of 
chaotic masking systems. Later he refined this technique and 
extended it for chaotic modulation systems [15], [16]. The 
NLD technique has been widely employed to break many 
simple chaos-based secure communication systems. 

D. Direct Extraction of Plaintext 

For some chaos-based secure communication schemes, it 
is also possible to directly estimate the plaintext message 
signals from the driving signals without estimating the secret 
key or the carrier signals. Many different methods have been 
reported in recent years, mostly for chaotic masking and 
chaotic switching schemes. In this subsection, we introduce 
some of these specific methods. 

1) Return-map Analysis: By constructing some return 
maps of the master system, one may be able to estimate the 
plaintext message signal from the fluctuation (for chaotic 
masking) and the splitting (for chaotic switching) of the 
return maps. This method was first proposed in [17] and 
further developed in [12], [18] for other more advanced 
systems. 

2) Power-spectral (Filtering) Analysis: Though the dy- 
namics of chaotic systems are rather complex, the power 
spectra of their variables are not so complex as expected. As 
investigated in [19], [20], even when the power spectra of 
some chaotic systems seem to be good, significant spectrum 
peaks can still be founded in the spectra by removing 
the symmetries of the chaotic attractors. For instance, the 
spectrum of x(t) in the Lorenz system is relatively good, 
but that of \x(t)\ has a significant peak. When the plaintext 
message signal is hidden in the driving signal, the narrow- 
band spectrum means that the driving signal can be directly 
filtered to recover the message signal [21], [22]. 

3) Power Energy Analysis: For some parameter modula- 
tion systems, the power energy of the driving signal varies 
according to the value of the transmitted signal. This makes it 
possible to obtain a smoothed version of the message signal 
by observing the average power energy of the driving signal 
in a sliding time- window [23]. Exact recovery of the plain 
message signal is possible for chaotic switching systems, 
because each bit has to be held for some time to ensure that 
chaos synchronization is established. 



4) Generalized Synchronization-based Method: For 
chaotic switching systems and some parameter modulation 
systems, there is a simple relationship between the 
synchronization error and the value of the transmitted 
signal. This fact can be exploited to extract the plaintext 
message signal directly [22], [24]. 

5) Short-time Period analysis: When the spectrum of the 
driving signal (or its derivative of some form) involved has 
a significant peak (recall Section IIV-D.2b . generally there 
exists a simple relationship between the peak frequency and 
the values of the control parameters (see Fig. 9 in [20]). 
In this case, one can try to extract the short-time period 
as a measurement of the peak frequency modulated by the 
plaintext message signal. According to the change of the 
extracted short-time periods, the plaintext message signal 
can be extracted exactly (for chaotic switching systems) 
or approximately (for some parameter modulation systems) 
[25], [26]. 

6) Switching-event Detection: For chaotic switching and 
parameter modulation systems, the dynamics of the master 
systems will change significantly when the value of the mod- 
ulating signal (i.e., the plaintext message signal) changes. 
By detecting and tracking these switching events, it may be 
possible to recover the modulating signal [27]. 

V. New Countermeasures Against Known 
Attacks 

To overcome the security problems of most traditional 
chaos-based secure communication schemes, a number of 
new countermeasures have been proposed in recent years. 
Among all the known attacks, the ones based on and the 
NLD forecasting technique have received most attention, 
while little work has done on the low sensitivity to the secret 
key and the security problem of parameter estimation. This 
section lists some of these new countermeasures and known 
cryptanalytic results. 

A. Using More Complex Chaotic Systems 

One widely suggested measure is to use more complex 
chaotic systems rather than three-dimensional systems like 
the Lorenz and Chua systems. Hyperchaotic systems and 
time-delay chaotic systems have been adopted for some 
newly designed chaos-based secure communication systems. 
Unfortunately, a number of recent cryptanalytic results have 
shown that the introduction of hyperchaos or time-delay 
chaos cannot essentially enhance security [7], [22], [28]- 
[30]. 

B. Using More Complicated Synchronization Modes 

Another widely suggested measure is to use more compli- 
cated synchronization modes, such as impulsive, projective, 
phase, or lag synchronization, and so on. Although definitive 
results have not been obtained for the overall performance 
of each new synchronization mode, some security prob- 
lems have been reported for specific schemes [22], [31]. 
It seems that impulsive synchronization is most promising 
as candidate base of designing new chaos-based secure 
communication systems. 



C. Additional Encryption Functions 

In [32], Yang et al. suggested adding an additional encryp- 
tion function (actually the n-fold composition of a piecewise 
linear mapping) to chaos-based secure communication sys- 
tems to enhance the security. This idea was later employed 
by some other researchers. Although there is not too much 
cryptanalytic work about this kind of combined chaos-based 
secure communication systems, a recent result about NLD 
[33] implies that the additional encryption function may be 
circumvented. 

D. Combining Heterogeneous Chaos-based Cryptosystems 

By combining different types of chaos-based cryptosys- 
tems, the security of the resulting system may be higher 
than the security of each constituent. The simplest way 
of combination is to cascade two or more heterogeneous 
chaos-based cryptosystems together, e.g., a chaotic masking 
subsystem plus a chaotic modulation subsystem as proposed 
in [34], or a chaotic switching subsystem plus a chaotic 
modulation subsystem as proposed in [35]. Unfortunately, 
this simple combination has been proved to be insecure [7]. 
So, more complicated approaches of combination should be 
further investigated. 

E. Two-channel Approach 

In [36], two separate channels were suggested to enhance 
the security: one channel only for chaos synchronization and 
the other one for complicated encryption of the plaintext 
message signal. This scheme has been found insecure [37], 
because parameter estimation is still possible by analyzing 
the chaos synchronization channel. 

F. Remodulating the Driving Signal 

In [38] a countermeasure was proposed in form of remodu- 
lating the driving signal before sending it to the receiver side. 
This approach was soon broken [39]-[41], however, and one 
improved version [40] has also proved to be insecure [12] 
as well. 

G. Modified Chaotic Switching Schemes 

To enhance security against the return map attack, it is 
possible to extend a chaotic switching system to include 
2n > 2 chaotic systems [42], in which n systems correspond 
to the plaintext bit and the other n systems to the plaintext 
bit 1 . For each plaintext bit, the sender randomly chooses a 
system from the n candidates and the receiver checks all 2n 
chaotic systems to find out the correct one. In [42] another 
measure is also adopted to further enhance the security, viz., 
to frequently change the driving signal from one variable to 
another. A recent cryptanalytic report has shown that both 
countermeasures are still not secure against the return map 
attack [18]. 

In [43], pseudo-random false switching events are intro- 
duced to enhance security against various known attacks. No 
cryptanalytic result has been reported on this countermeasure 
so far. 



VI. Concluding Remarks 

As most traditional chaos-based secure communication 
systems and many new-generation ones have been known 
to be insecure, novel ideas need to be created to improve 
security. Combining more than two countermeasures may be 
a promising way to get more secure cryptosystem. The low 
sensitivity to the secret key and the potential possibility to 
mount attacks based on parameter estimation are regarded 
as the two greatest problems in almost all analog chaos- 
based secure communication systems, thus deserving more 
attention in future research. 
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